Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 03:30
Behavioral tasks
- behavioral1: 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe on win7-20241010-en
- behavioral2: 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe on win10v2004-20241007-en
- behavioral3: Smart Binder v2.0 By Th3 Exploiter.exe on win7-20240903-en
- behavioral4: Smart Binder v2.0 By Th3 Exploiter.exe on win10v2004-20241007-en
- behavioral5: SpyNet.exe on win7-20240903-en
General
- Target: 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe
- Size: 1.9MB
- MD5: e4c2350adc7cb595f67e309d52b2778e
- SHA1: 08a0784691beeb777d864279612a7237075f94ee
- SHA256: 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668
- SHA512: 8b39225020671ce408deba0b8d0e91dfba51e64552b8b18d9f241f2250ef72769fd55cf2c97047dc3921613d0762a86a93be92f64766b829090c93da795ca8ad
- SSDEEP: 49152:hd6e6x01stTTAkJ/4p3ZpoWJX+vS6ljM3XyF2:hg1xThKJZpoWJO6UjaCA
Malware Config
Extracted
- family: njrat
- version: 0.7d
- botnet / campaign ID: HacKed
- C2: amr555s.no-ip.org:5554
- mutex: f87a088fbd7c06eef1f5a49864be5208 (the same ID njRAT reuses as the Run value name below)
- reg_key: f87a088fbd7c06eef1f5a49864be5208
- splitter: |'|'|
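The splitter and campaign ID above are how njRAT delimits and labels its C2 traffic. The following is an added example, not code from tria.ge or from the sample, that frames and parses messages in that style: the "<length>\x00<payload>" framing is njRAT's own wire format, the splitter and campaign ID come from the extracted config, and the field layout of the constructed registration message, the hostname, username and HWID are assumptions for illustration only. Nothing is sent to the C2.

```python
"""njRAT-style message framing and field splitting (added example).

Assumptions not taken from the report: the registration field order after
the victim ID, and the sample host values used to build a message.
"""
import base64

SPLITTER = "|'|'|"                   # from the extracted config
CAMPAIGN = "HacKed"                  # botnet / campaign ID from the config
C2 = ("amr555s.no-ip.org", 5554)     # C2 from the config; never contacted here


def frame(payload: bytes) -> bytes:
    """Frame a payload the way njRAT does: decimal length, NUL byte, payload."""
    return b"%d\x00%s" % (len(payload), payload)


def iter_frames(stream: bytes):
    """Yield complete payloads from a TCP byte stream.

    Stops (without raising) at a partial frame, which is what a capture
    parser needs when the last segment of a session is missing.
    """
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            return                      # no complete "<len>\x00" prefix
        length = int(stream[pos:nul])
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            return                      # truncated frame; wait for more data
        yield stream[start:end]
        pos = end


def build_registration(hwid: str, hostname: str, username: str) -> bytes:
    """Constructed 'll' (registration) message.

    The first field is the campaign ID joined to a host identifier and
    base64-encoded, as njRAT does; the remaining field order is an
    illustrative assumption, not the sample's exact layout.
    """
    victim = base64.b64encode(f"{CAMPAIGN}_{hwid}".encode()).decode()
    fields = ["ll", victim, hostname, username, "0.7d"]
    return SPLITTER.join(fields).encode()


def parse_registration(payload: bytes):
    """Split on the config's splitter and recover campaign ID and HWID.

    Returns None for anything that is not a well-formed registration.
    """
    fields = payload.decode("utf-8", "replace").split(SPLITTER)
    if len(fields) < 2 or fields[0] != "ll":
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    campaign, _, hwid = victim.partition("_")
    return {"campaign": campaign, "hwid": hwid, "fields": fields[2:]}


if __name__ == "__main__":
    # Constructed session: one registration, one short command, one truncated frame.
    stream = (frame(build_registration("ABCD1234", "WIN7-PC", "Admin"))
              + frame(b"inf") + frame(b"truncated")[:5])
    for payload in iter_frames(stream):
        print(parse_registration(payload) or payload)
```

The length prefix is the detail worth keeping in mind when writing a network signature: the splitter never appears in the first bytes of a frame, so a regex anchored on `|'|'|` at offset 0 will miss real traffic.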
Signatures
- Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 2672 netsh.exe

Executes dropped EXE (3 IoCs)
- PID 2924 Smart Binder v2.0 By Th3 Exploiter.exe
- PID 2676 SpyNet.exe
- PID 1560 server.exe

Loads dropped DLL (4 IoCs)
- PID 2776 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe (3 loads)
- PID 2924 Smart Binder v2.0 By Th3 Exploiter.exe (1 load)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\f87a088fbd7c06eef1f5a49864be5208 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." by server.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f87a088fbd7c06eef1f5a49864be5208 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." by server.exe
The value name is the reg_key from the extracted config, and the trailing " .." argument is the marker njRAT appends so its persisted copy can tell it was started from autorun; both are stable hunting pivots.

Yara rule match: upx (18 IoCs)
resource / yara_rule
- behavioral1/files/0x002c000000016d70-9.dat: upx
- behavioral1/memory/2776-16-0x0000000002900000-0x0000000002E57000-memory.dmp: upx
- behavioral1/memory/2676-18-0x0000000000400000-0x0000000000957000-memory.dmp: upx
- behavioral1/memory/2676-1102 through 2676-1116 (15 dumps, all 0x0000000000400000-0x0000000000957000-memory.dmp): upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
Caveat: netsh.exe reads this key on every start to locate its helper DLLs, so these three events are a side effect of the firewall command in the process tree below; the report records no write to the NetSh key, so there is no evidence the sample registered a helper DLL of its own.

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe, Smart Binder v2.0 By Th3 Exploiter.exe, SpyNet.exe, cscript.exe, server.exe and netsh.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by SpyNet.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by SpyNet.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
- Token: SeDebugPrivilege, PID 1560 server.exe (once)
- Token: 33, PID 1560 server.exe (17 times; the report shows the bare privilege LUID, which winnt.h defines as SeIncreaseWorkingSetPrivilege)
- Token: SeIncBasePriorityPrivilege, PID 1560 server.exe (17 times, alternating with the LUID 33 entries)

Suspicious use of FindShellTrayWindow (6 IoCs)
- PID 2676 SpyNet.exe (6 times)

Suspicious use of SendNotifyMessage (6 IoCs)
- PID 2676 SpyNet.exe (6 times)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2776 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe wrote to memory of PID 2924 (Smart Binder v2.0 By Th3 Exploiter.exe), procid_target 30, 4 times
- PID 2776 4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe wrote to memory of PID 2676 (SpyNet.exe), procid_target 31, 4 times
- PID 2676 SpyNet.exe wrote to memory of PID 1576 (cscript.exe), procid_target 32, 4 times
- PID 2924 Smart Binder v2.0 By Th3 Exploiter.exe wrote to memory of PID 1560 (server.exe), procid_target 34, 4 times
- PID 1560 server.exe wrote to memory of PID 2672 (netsh.exe), procid_target 36, 4 times
Each pair matches a parent/child edge in the process tree below, and the identical four writes per child are consistent with ordinary process creation (the parent populating the new child's memory) rather than code injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\4f3b59864c18a8d1a8add12e29dfd6293d67c07ecbd0bf9b4ae9e34294bc2668.exe"
   PID 2776
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Smart Binder v2.0 By Th3 Exploiter.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Smart Binder v2.0 By Th3 Exploiter.exe"
      PID 2924
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\server.exe
         cmdline: "C:\Users\Admin\AppData\Roaming\server.exe"
         PID 1560
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
            PID 2672
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\SpyNet.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\SpyNet.exe"
      PID 2676
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cscript.exe
         cmdline: "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
         PID 1576
         - System Location Discovery: System Language Discovery
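The Run key write by server.exe and the `netsh firewall add allowedprogram` command it spawns are the two host artifacts in this tree a detection engineer would alert on. The following is an added example, not part of the tria.ge report: the rules run over constructed event dicts modelled on the report's IoCs plus two benign look-alikes (a OneDrive Run entry and a read-only netsh query). The Run-key rule requires two njRAT traits to coincide (32-hex value name, trailing " .." argument, autostart binary under %AppData%), and the netsh rule flags firewall exceptions that point at a user-writable path. The event schema and the benign samples are assumptions for illustration.

```python
"""Detection logic for the Run-key and netsh firewall IoCs (added example).

Event dicts are constructed to mirror the report's IoCs; the schema
(type/process/key/value/cmdline/parent) is an assumption, not Triage's.
"""
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_KEY = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
FIRST_EXE = re.compile(r'^\s*"?([^"]+?\.exe)"?(?:\s|$)', re.I)
# Legacy "netsh firewall" context (as used by the sample) and the advfirewall form.
NETSH_ALLOW = re.compile(
    r"netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+\"?([^\"]+?)\"?(?:\s|$)", re.I)
NETSH_ADV = re.compile(
    r"advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=\"?([^\"\s]+)", re.I)

SID = "S-1-5-21-3692679935-4019334568-335155002-1000"   # from the report
EVENTS = [  # constructed, modelled on the report's IoCs
    {"type": "reg_set", "process": "server.exe",
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\f87a088fbd7c06eef1f5a49864be5208",
     "value": r'"C:\Users\Admin\AppData\Roaming\server.exe" ..'},
    {"type": "process", "process": "netsh.exe", "parent": "server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"type": "reg_set", "process": "explorer.exe",   # benign look-alike
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "process": "netsh.exe", "parent": "cmd.exe",   # benign query
     "cmdline": "netsh advfirewall show allprofiles"},
]


def check_run_key(ev):
    """Flag a Run value only when at least two njRAT traits coincide."""
    m = RUN_KEY.search(ev["key"])
    if not m:
        return None
    name, data = m.group(1), ev["value"]
    reasons = []
    if HEX32.match(name):
        reasons.append("32-hex value name")
    if data.rstrip().endswith(" .."):
        reasons.append("trailing ' ..' argument")
    exe = FIRST_EXE.match(data)
    if exe and USER_WRITABLE.match(exe.group(1)):
        reasons.append("autostart binary under %AppData%")
    if len(reasons) < 2:
        return None
    return {"rule": "njrat_run_key", "process": ev["process"], "reasons": reasons}


def check_netsh(ev):
    """Flag a firewall exception whose program lives in a user-writable path."""
    m = NETSH_ALLOW.search(ev["cmdline"]) or NETSH_ADV.search(ev["cmdline"])
    if not m or not USER_WRITABLE.match(m.group(1)):
        return None
    return {"rule": "netsh_allow_user_writable", "process": ev["process"],
            "parent": ev.get("parent"), "program": m.group(1)}


def evaluate(events):
    """Run both rules over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set":
            hit = check_run_key(ev)
        elif ev["type"] == "process" and ev["process"].lower() == "netsh.exe":
            hit = check_netsh(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

Requiring two traits on the Run key keeps legitimate per-user autostarts (OneDrive, Teams, updaters under %AppData%) quiet while still catching the report's entry; the parent field on the netsh finding is what lets an analyst pivot straight to server.exe.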
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize 132KB
  MD5 99a4facec202969f7d59e1688445443d
  SHA1 96da688828e9280103d4a34b720fd9cfba0cc2cf
  SHA256 ecc8c7fc782eb35711c39cd322d68aa9663f3d0eaa78df99ef987904c6a8e3bb
  SHA512 a62d189dbe28df7165f7a4db08b5a4882920529f0032844c77b9dfa6f959006012444a52691698b8b6100c52e7d5aad1b3fa9da9c0beb6043332fbeb909f9740
- Filesize 14KB
  MD5 ee9826fd3883b9756896baed5d076cc6
  SHA1 d1c829cabcb967410e03489723d9e51b9549d6f6
  SHA256 e06ff3e2b4cf78d6147d00dbfd00066751d1d6680b3dd672e861574741a894d9
  SHA512 404cfe3632fc3614a0e686504a2edcdf984aab20afc8fc4c7785d76bd52bf466078e756838c2ce5350439ad128756e55e1c3b12f3badd70fba8e74d171a05538
- Filesize 1KB
  MD5 448a49c2d7253c927e820056e9e7ea8b
  SHA1 c7171c7b597beea4bb584319ddac80eadee5d3be
  SHA256 afcc1b53d0e2ef177754d4f6ae9ab391e7115e39fc73caaabcb3cd585c2e4c7c
  SHA512 54dc9c1eba0154aa648ec317c51642fd88d7dcd50b4e5f1eea5c67e1c7db91a7e8cb97d0b538e4a280d91a65fea8baa888734960fbf636b7067ac407840a5224
- Filesize 23KB
  MD5 f836c26e8aae6e2ba4efb47af6cecf4f
  SHA1 65d32c3ed9f9f03033efb50fe8275a3643755f79
  SHA256 c244ca57170c47a61d79092c13a038477a904a416b492adeb5aabe89d1620c30
  SHA512 fa8e33791059323c754589a779b167d21cf515fb786c86a84944cf7fc8784be71842db8ee12953855141d99aab9aa707fbfd972d7229156f73168284dcba8f47
- Filesize 2B
  MD5 81051bcc2cf1bedf378224b0a93e2877
  SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
- Filesize 841B
  MD5 615964e5ab63a70f0e205a476c48e356
  SHA1 292620321db69d57ba23fa98d2a89484ddcf83d0
  SHA256 38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102
  SHA512 69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc
- Filesize 2.0MB
  MD5 98de7bcad1ba2caf74007bd97bc2b505
  SHA1 8a79d06159a339313b810f23835b8417429dd356
  SHA256 e4b3b3e72bd3bf4052a3136cb811ea54923bc2d7807709992e0345743d49ced8
  SHA512 ef57cc4f0ad4bf1f54baaf7213bf868c418eebfb0eee3c32ff376b67d5d5337c35a94a1418951d82aae371820ce37eade7cf0a74ce54a4198e18327bd232a35d